The world’s largest biometric ID system is in trouble after a new report revealed up to 135 million Indian citizens have had their unique identifiers publicly exposed by government agencies.

The Aadhaar project involves a unique 12-digit identity number which is linked to each person’s demographic as well as biometric data; fingerprints, iris scans and a mugshot are stored on a centralized database.

The card has been rolled out to virtually everyone in the country today and is used to authenticate for some banking services and to access government services such as unemployment benefit.

However, the Aadhaar project has been strongly criticized by privacy campaigners since its launch in 2009 and personal details have even appeared on Twitter under the AadhaarLeaks hashtag, along with other personal identifiers.

As a result, The Centre for Internet and Society decided to take a look, and its findings appear to have borne out these concerns.

It noted four government schemes which use Aadhaar numbers and financial information: the Rural Development Ministry’s National Social Assistance Programme and National Rural Employment Guarantee Act (NREGA), and the regional Andhra Pradesh government’s Daily Online Payment Reports under NREGA and Chandranna Bima Scheme.

It claimed:

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at.”

It appears the government’s open data drive resulted in the accidental exposure of the highly sensitive details, with data masking inconsistent and ineffective, the report found.

In addition, the total figure for affected records could actually be more than double 135 million, if other schemes using the so-called Direct Benefit Transfer (DBT) are taken into account.

The report authors explained:

“While these numbers are only from two major government programs of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices. Over 23 crore [230m] beneficiaries have been brought under Aadhaar program for DBT, and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number.”

The report was issued just a day after the Modi administration reportedly admitted for the first time that Aadhaar data had likely been leaked online.

As such, it should serve as a warning to governments considering similar schemes. Identifiers like this are highly sought after by fraudsters, especially when linked with other PII: they are tough to replace and so have a long shelf life, and they are useful for committing a range of identity fraud.